Most organizations run more than a dozen security tools, and a typical incident investigation has analysts pulling relevant data from each of them in turn. Working in these tool consoles means juggling multiple browser tabs, separate credentials for each tool, and a working knowledge of each interface. The result is 'dead time': tab switching, copy-pasting findings into documentation, and stitching together fragmented information.
Demisto’s interactive investigation features – a ChatOps-based War Room, an ML-powered chatbot, and a robust command-line interface – form a powerful toolkit for analysts to collaborate, run live security commands, and learn from each incident.
Defining Security ChatOps
The simplest way to define ChatOps for security is as a platform for conversation-driven investigations. When security analysts, security tools, chatbots, and IR workflows share the same chat window and reinforce each other, that is ChatOps in action: investigation, collaboration, and documentation happen at one source, and each feeds the others in a virtuous cycle.
The Need For Interactive Investigation
Lack of skilled analysts
With a shortfall of millions of security analysts projected over the coming years, many SOCs are understaffed, which increases the workload, stress, and error rate of the analysts who remain.
Rising alert numbers
With a growing threat surface, more entry vectors for attackers, and an ever-larger set of specialized cybersecurity tools, the number of alerts is constantly on the rise. Analysts need help identifying false positives and duplicate incidents, and keeping alert volumes in check without burning out.
Too many tools
Analysts use numerous tools, both within and outside the security team's purview, to coordinate and act on their response to incidents. A recent NASDAQ report stated that the average organization uses up to 15 products. This means constant screen switching, fragmented information, and disjointed record keeping.
Siloed work environments
An implicit but dangerous problem that mid- to large-sized SOCs face is analyst tunnel vision and an extreme narrowing of skill sets. There is rarely, if ever, any cross-pollination of skills across analysts of the kind that would enable effective joint investigations and reduce resolution times.
The Bus Factor
Since security analysts are at such a premium, a sudden personnel loss can leave a SOC in disarray. Senior analysts take most of their expertise with them when they leave, and little of that knowledge remains stored within the organization.